By expanding its online services, the IRS is putting taxpayers’ data
at greater risk, the Treasury Inspector General for Tax Administration
told Congress on Tuesday.

“Providing taxpayers more avenues to obtain answers to their tax
questions or to access their own tax records online . . . provides
more opportunities for exploitation by hackers and other fraudsters,”
warned Russell George in testimony before the Senate Finance Committee.

George and IRS Commissioner John Koskinen testified before the
committee, which is charged with oversight of the IRS, about the
recent revelation that cybercriminals
had breached the security protocols of the Get Transcript online
application, a service for taxpayers to obtain prior-year tax returns
for various purposes such as loans and student financial aid.

According to Koskinen, the cybercriminals overcame a multistep
authentication process that required the taxpayer’s Social Security
number, date of birth, tax filing status, and home address. They also
had to answer what the IRS calls several “out-of-wallet” questions
(i.e., knowledge-based authentication questions) that only the
taxpayer would normally know, such as the amount of a monthly home or
car payment. Because the cybercriminals had this other information,
Koskinen explained that the IRS believes that it was dealing with
sophisticated organized crime syndicates.

In his testimony, however, George noted that the proliferation of
data breaches, the amount of information freely available on the
internet, and the expansion of e-commerce have combined to make
knowledge-based authentication less secure.

According to Koskinen, since the data breach, about 13,000
questionable returns were filed for tax year 2014 for which the IRS
issued refunds totaling about $39 million (average of $3,000 per
return). The IRS is in the process of determining how many were filed
by the actual taxpayers and how many involved stolen identities. The
incident is also being investigated by TIGTA.

The IRS suspended the Get Transcript application after discovering
the breach and is notifying the approximately 200,000 affected
taxpayers of the attempts to obtain their data. The agency has already
notified the approximately 100,000 taxpayers who had their data
compromised and has offered free credit monitoring and suggested that
affected taxpayers obtain an identity protection personal
identification number (IP PIN), which it uses for other victims of
identity theft.

However, George warned that “the risk for this type of unauthorized
access to tax accounts will continue to grow as the IRS focuses its
efforts on delivering taxpayers self-assisted interactive online
tools.” He noted, for example, that the IRS is preparing to launch a
secure messaging pilot program in fiscal year 2016, which would lead
to a “broader taxpayer digital communication rollout in the future.”
He also testified that his agency has found security weaknesses
throughout IRS systems.